[Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority?
Dmitri Pal
dpal at redhat.com
Tue Feb 14 19:43:56 UTC 2012
I hit reply instead of reply all again. Sorry. Adding the list back.
On 02/14/2012 02:43 PM, Dmitri Pal wrote:
> On 02/13/2012 12:43 PM, Marco Pizzoli wrote:
>> Hi Adam,
>>
>> On Mon, Feb 13, 2012 at 5:58 PM, Adam Young <ayoung at redhat.com
>> <mailto:ayoung at redhat.com>> wrote:
>>
>> On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
>>> Hi,
>>> I see DogTag PKI used as a certificate server for the enrollment
>>> of hosts and services.
>>> What about the enrollment of normal X509v3 certificates? I have
>>> not seen, correct me if I'm wrong, any reference to the
>>> possibility to use it as a regular CA for user certificates. Not
>>> within FreeIPA, of course.
>>>
>>> Is there any drawback in using it as the primary CA for the company?
>>
>> It is a full CA. You can use it as such. Dogtag is a vibrant
>> project in its own right, and you can find developers on
>> #dogtag-pki in Freenode. The install is done via pkisilent, and
>> you might want to make sure that you understand the parameters
>> used to call it.
>>
>>
>> I will. Thanks for the pointer.
>>
>>
>> One major drawback is that IPA has disabled Nonces in the Dogtag
>> backend. These are there to defend against a CSRF attack. What
>> this means is that you should not expose the Dogtag WebUI through
>> the IPA server, either on its Dogtag port or via HTTP proxy. It
>> should be explicitly stated that IPA implements Nonces for its
>> web UI, and does not allow session based calls through to the
>> Dogtag back end, so its configuration is secure. The problem is
>> only exposed if you expose additional web URLs to the Dogtag
>> backend beyond those specified in the PKI Proxy.
>>
>> Enabling nonces will break IPA.
>>
>>
>> You told me something I wasn't aware of. I will dig into this during
>> next weeks.
>>
>>
>> I've installed and used the standard Java tools for Dogtag and
>> used them to talk to the PKI backend installed by IPA. They work
>> fine.
>>
>>
>> Ok, this is what I hoped to read! :-)
>>
>> Currently, IPA acts as a single Agent in Dogtag. This should
>> be fine. For other certificate usage, you should probably use
>> a different agent.
>>
>>
>> Please be patient with me, I don't understand yet the concept of
>> "agent". Even a reference to the documentation would be helpful to me.
>>
>
>
> "Agent" is client side software that can connect to CA, authenticate
> and has a role to perform specific operations against CA.
>
>> IPA does not currently support user certificates. However,
>> there are standard LDAP object classes and attributes that you
>> could conceivably use to record them if you wanted to keep them
>> in a single DirSrv. Obviously, you do not want to put the
>> private keys on the IPA server, so plan accordingly.
>>
>>
>> I will, I promise :-)
>>
>>
>> Red Hat does not support using the Certificate Server (PKI)
>> backend with its Identity management install for purposes other
>> than support for the IdM (IPA) front end, so beware that you have
>> no "up sell" if you desire to get paid support for IPA.
>>
>>
>> I understand.
>> I link a question I'm curious of: if I remember correctly, on the
>> PKI-user mailing list I read a user complaining about RH not selling
>> RHCS standalone anymore. Is it true?
>
> It is true to some extent.
> It is sold under special conditions. For more info on RHCS sales
> conditions you need to go via official RH channels.
>
>>
>> You've been very helpful! Your blog too.. :-)
>> Thanks a lot!
>> Marco
>>
>>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
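The nonce discussion above (a state-changing agent operation that is only safe against CSRF when the request carries a per-session nonce, and a proxy that forwards only an explicit allowlist of backend URLs) is easier to reason about with a small model. The following is an added example written for this page; it is not Dogtag's or FreeIPA's code, and the endpoint paths, the JSESSIONID cookie name, the "nonce" form field and the PROXY_ALLOWLIST contents are assumptions chosen for the illustration. It shows why a backend with nonces disabled is safe only as long as browsers cannot reach it directly, which is the point Adam makes about the PKI proxy.

```python
"""Synchronizer-token (nonce) check plus a URL-allowlisting proxy.

Example code for this page only; NOT the Dogtag or FreeIPA implementation.
All paths, cookie/field names and the allowlist are assumed for the demo.
"""
import secrets
from dataclasses import dataclass

# Assumed: the only backend paths the proxy is willing to forward.
PROXY_ALLOWLIST = frozenset({"/ca/agent/approve"})


@dataclass
class Session:
    sid: str
    nonce: str


class NonceStore:
    """Server-side map of session id -> current nonce (synchronizer token)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        s = Session(sid=secrets.token_hex(16), nonce=secrets.token_urlsafe(32))
        self._sessions[s.sid] = s
        return s

    def check_and_rotate(self, sid, nonce):
        """Constant-time compare; rotate on success so a nonce is single-use."""
        s = self._sessions.get(sid)
        if s is None or nonce is None or not secrets.compare_digest(s.nonce, nonce):
            return False
        s.nonce = secrets.token_urlsafe(32)
        return True


@dataclass
class Request:
    path: str
    cookies: dict   # what the browser attaches automatically (ambient auth)
    form: dict      # what the submitting page controls


def agent_endpoint(store, req, nonces_enabled=True):
    """A state-changing agent operation, e.g. approving a certificate request."""
    sid = req.cookies.get("JSESSIONID")   # assumed cookie name
    if sid is None:
        return 401, "no session"
    if nonces_enabled and not store.check_and_rotate(sid, req.form.get("nonce")):
        return 403, "missing or stale nonce"
    return 200, "approved request %s" % req.form.get("requestId")


def proxy(store, req, nonces_enabled=True):
    """Front proxy: only allowlisted backend paths are reachable at all."""
    if req.path not in PROXY_ALLOWLIST:
        return 404, "not proxied"
    return agent_endpoint(store, req, nonces_enabled)


def run_scenarios():
    """Constructed requests: one legitimate, the rest forged cross-site."""
    store = NonceStore()
    victim = store.new_session()
    cookie = {"JSESSIONID": victim.sid}
    first_nonce = victim.nonce  # embedded in the legitimate agent page

    legit = Request("/ca/agent/approve", cookie, {"nonce": first_nonce, "requestId": "7"})
    # A forged form on another origin: browser adds the cookie, but the
    # attacker cannot read the victim's nonce, so the form has none.
    forged = Request("/ca/agent/approve", cookie, {"requestId": "7"})
    forged_other_path = Request("/ca/admin/anything", cookie, {"requestId": "7"})

    results = {
        "legit": proxy(store, legit),
        "replayed_nonce": proxy(store, legit),                    # nonce rotated
        "forged_with_nonce_check": proxy(store, forged),
        # Backend with nonces disabled and reached directly: forgery succeeds.
        "forged_nonces_disabled": agent_endpoint(store, forged, nonces_enabled=False),
        # Same backend, but only reachable through the allowlisting proxy.
        "forged_via_proxy_blocked_path": proxy(store, forged_other_path, nonces_enabled=False),
    }
    return results


if __name__ == "__main__":
    for name, (status, msg) in run_scenarios().items():
        print("%-32s %d %s" % (name, status, msg))
```

The "forged_nonces_disabled" case is the configuration the thread warns about: with nonce checks off, the only thing standing between a logged-in agent's browser and a forged approval is that the URL is not exposed, so the allowlist in the proxy is doing security work, not just routing.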